Salem Press

Privacy Rights in the Digital Age

Medical confidentiality, privacy right to

by Christopher T. Anglim

An individual's right to keep medical records and information confidential. During medical treatment, doctors become aware of information concerning their patients through either their diagnoses and observations or what information patients provide. Information intended for medical professionals to treat patients is confidential and must not ordinarily be released to anyone else.

The issue of medical confidentiality arises when information obtained in the course of medical treatment is of interest to others. In such circumstances, two questions must be answered. First, does the doctor have the discretion to disclose the information? If so, then the disclosure of information obtained through the medical treatment is permitted. Second, is the disclosure legally required? For example, law enforcement authorities usually must be informed of cases where the doctor treats a gunshot victim. Health authorities usually must be informed of all HIV-positive carriers.

In the United States, a person is entitled to certain fundamental rights, one of which is privacy. Confidentiality of medical records is recognition of the individual's right to privacy. Not only do individuals benefit from legal protection of their medical confidentiality but society benefits as well. A system of efficient medical treatment may exist if the physician has the maximum amount of relevant information on the patient. In many circumstances, the patient divulges this information only if confidentiality is maintained. The social benefit of having an open exchange of information between doctor and patient may be why physicians have agreed to safeguard the confidentiality of their patients and patient records since the time of the Hippocratic Oath. Although the judicial right of privacy was first legally recognized in the United States in the twentieth century, the doctor's duty to maintain his or her patient's right of confidentiality has existed for at least 2,400 years.

Anglo-American common law did not specifically articulate an obligation by physicians to maintain patient confidentiality. All fifty American states have enacted legislation, however, creating a duty of confidentiality for physicians. Courts also found a duty of medical confidentiality based on the theories of breach of contract, breach of fiduciary relationship, breach of implied promise of confidentiality, licensing statutes and testimonial privilege that reflect a policy basis for secrecy, and the inherent right of privacy. Whether the duty of medical confidentiality is based on the doctor-patient relationship, on the professional obligations of the doctor as a physician, on the privacy rights of the patient or on the statutes, the scope of this duty of confidentiality is not unlimited. Some of the limitations are specified by statute, while the courts have inferred others.

The most commonly invoked exception is the common law duty of doctors to warn persons who may be endangered by their patients. For example, if a physician fails to warn a person who might be endangered by his or her patient through the spread of disease, the doctor will be guilty of negligence. At a minimum, doctors must exercise reasonable care to advise members of the family and others, who are liable to be exposed to it, of the nature of the disease and the danger of exposure. Notably, this obligation does not extend to unforeseeable victims or the general public. A doctor has no duty to warn persons at large when his or her patient is potentially dangerous to a large segment of the community. There must be a specific victim or a readily identifiable limited class of victims. All states have enacted statutes, however, that require doctors to report certain communicable diseases or infections to public health agencies.

Doctors must also report cases of child abuse, dangerous patients, gun or knife wounds that appear to have been intentionally inflicted, and occupational diseases or injuries. Many states also require doctors to report information on certain prescription drugs, abortions, cancer, and battered adults.

Although most states recognize a doctor-patient testimonial privilege, this privilege is more limited than it appears. In some states, the privilege does not apply in criminal proceedings and when the patient puts his or her condition at issue. The doctor-patient privilege and its exceptions apply only to court proceedings. Outside the courtroom setting, there are other exceptions to physician-patient confidentiality, in addition to the compulsory reporting requirements. These exceptions include medical emergencies, processing health insurance claims, professional peer review, and access by researchers and auditors.

The United States provides relatively few exceptions to the duty of medical confidentiality. In the United States, the obligation of a doctor to maintain confidentiality usually occurs only if he or she was the attending physician. Similarly, the doctor-patient testimonial privilege is limited to communications during treatment.

In contemporary times, growing concerns regarding privacy have made medical confidentiality a major issue. The AIDS epidemic, the increase in genetic testing, the growth of managed healthcare, and electronic record keeping gave rise to serious concerns about patient rights to medical confidentiality.

Several different degrees of protection cover the confidentiality of medical information. On a most basic level, physicians are guided by a professional ethical code to preserve patient confidences. State evidence laws provide protection for medical confidentiality by recognizing a privilege for physician-patient communications. Many states also have confidentiality statutes to restrict disclosure of confidential medical information.

Federal courts have also recognized a constitutional privacy interest in protecting confidential medical information; however, this right is not absolute. Courts have compromised the right to privacy in favor of other constitutional rights. For example, in United States v. Lindstrom, 698 F.2d 1154 (11th Cir., 1983), the Court held that the defendant had a right to know private medical information of a witness testifying against her based on her Sixth Amendment rights under the confrontation clause.

Because of the presumption that prisoners surrender some constitutional rights pursuant to their incarceration, the question remains whether inmates possess a constitutional right to medical confidentiality.

In 1996 the Health Insurance Portability and Accountability Act (HIPAA), 110 Stat. 1936, became law. This law has had a great impact on the healthcare industry, including the need for several changes in how medical professionals communicate with their patients, their families, and with each other. HIPAA provides rights to patients and safeguards for employees. It affects all medical professionals and medical staff. The medical profession has stressed how important confidentiality is in all patient matters. The codes of ethics for the various medical professions clearly stress the medical professional's role in promoting and advocating for patients' rights related to privacy and confidentiality. For medical professionals, HIPAA endorses the long-articulated responsibility of medical professionals to their patients.

Because privacy and confidentiality are fundamental rights in U.S. law, safeguarding those rights regarding personal health information is the ethical and legal obligation of medical providers. Maintaining such safeguards is becoming increasingly challenging in the medical environment.

Through their knowledge, training, and experience, every medical professional understands and respects the need for patient confidentiality. As professionals, their connection to patients and colleagues depends on ensuring such patient confidentiality. Advanced technology and new demands on healthcare, along with computer hacking, make it increasingly difficult to keep this promise.

All medical professionals must safeguard the patient's right to privacy. The need for healthcare does not justify unwanted intrusion into the patient's life or affairs. Medical professionals advocate for an environment that provides sufficient physical privacy, including auditory privacy for discussions of a personal nature, and policies and practices that protect the confidentiality of information.

The medical professional must also maintain confidentiality of all patient information. The patient's well-being could be jeopardized, and the fundamental trust between patient and medical professional could be destroyed by unnecessary access to data or by the inappropriate disclosure of identifiable patient information. The rights, well-being, and safety of the individual patient should be the primary factors in arriving at any professional judgment on the disposition of confidential information received from or about the patient, whether oral, written, or electronic. The standard of healthcare practice and the medical professional's responsibility to provide quality care require that relevant data be shared with those members of the medical team who have a need to know. Only information pertinent to a patient's treatment and welfare is disclosed, and only to those directly involved with the patient's care. Duties of confidentiality are not absolute, however, and may need to be modified to protect the patient, to protect other innocent parties, and in circumstances of mandatory disclosure for public health reasons.

Information used for purposes of peer review, third-party payments, and other quality improvement or risk management may be disclosed only under defined policies, mandates, or protocols. These written guidelines must ensure that the rights, well-being, and safety of the patient are protected. Only that information directly relevant to a task or specific responsibility should be disclosed. When using electronic communications, a special effort should be made to maintain data security.

Medical professionals handle confidential information on a daily basis and must ensure its confidentiality. To emphasize the importance of this duty, all medical professionals must know and understand the privacy requirements of HIPAA and apply this in their work to better protect patient confidentiality.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA), 110 Stat. 1936 (1996), was the first federal statute to ensure that the medical insurance information of every patient throughout the United States would be protected. These privacy provisions limit access to a patient's health information and its use. Hospitals and providers may use this information only for treatment, obtaining payment for care, and specified operational purposes such as improving the quality of care. Hospitals and providers must inform patients in writing of how their health data will be used; establish systems to track disclosure; and allow patients to review, obtain copies of, and amend their health information.

HIPAA established standards and requirements for the electronic transmission of certain health information (eligibility requirements, referrals to other physicians, and health claims). HIPAA protects a patient's rights to the confidentiality of his or her medical information and creates federal civil and criminal penalties for improper use or disclosure of protected health information.

Confidentiality protects patient information, such as the basic identifiers of the patient's past, present, or future physical or mental health conditions, including the provision of health services and payment for those services. Under HIPAA, patients received significant new rights to understand and control how their health information and insurance is used or shared.

In a conceptual framework, a patient's health information record is the collection of all health information in all media generated on the patient under a unique personal identifier and across the continuum of care. The record is created for every patient who receives treatment, care, or services at each institution or health network and is maintained for the primary purpose of providing patient care. It is also used for financial and other administrative processes, outcome measurement, research, education, patient self-management, disease prevention, and public health activities. The record has sufficient information to identify the patient, support the diagnosis(es), justify the treatment, document the course and results of treatment, and facilitate the continuity of the patient's care. The health information or data contained in the record belongs to the patient, even though the physical record (either electronic or paper) belongs to the institution.

Establishing and maintaining patients' trust in their caregivers is critical to obtaining a complete medical history, obtaining an accurate health record, and implementing an effective treatment plan. If a medical professional fails to protect the patient's privacy, the erosion in the relationship may have dire consequences to the medical professional–patient relationship. At the same time, the reality of the paradigm in which medical professionals practice gives rise to a variety of troubling confidentiality issues. Busy, frequently overcrowded hospitals are not conducive environments for guaranteeing confidentiality.

Technology and medical confidentiality

Electronic messaging and new computer technology, though quick and efficient, have major security issues that must be taken into account. When communicating patient information from one medical professional to another, one must realize that others besides the addressee may view the message, electronic messages may be misdirected, electronic communication may be accessed from various locations, or information compiled by one medical professional may be sent electronically to other medical professionals. The Internet does not provide a secure medium for transporting confidential information unless both parties are using encryption technologies.

Fax machines are perhaps the least secure technology for transmitting patient information. Statutory law prohibits certain types of information, including genetic test results, HIV information, and sexual assault counseling, from being faxed outside an institution without appropriate written authorization. All fax cover sheets should contain the standard warning that reads: “The information within this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender immediately and destroy all copies of this message and any attachments.”

All medical professionals have the duty to protect the well-being of those who are entrusted to their care. Protecting the integrity of the medical professional–patient relationship and patient rights is a sacred trust. The issue of medical confidentiality is an essential part of medical practice in the United States. Confidentiality is not just a responsibility of the medical professional but also a right of the patient. Thus, it is the patient, and not the doctor, who may choose to waive this right. Certain exceptions apply where the doctor is not only allowed but required to offer confidential medical information for the social good. Many of the exceptions to medical confidentiality in the United States are based on common law.

In the United States, the right to privacy is frequently implied from common law theories, including contract, fiduciary relationship, implied promise, public policy, and the general right of privacy. The main concept behind medical confidentiality is to encourage a free exchange of information between doctor and patient so that a fully informed physician can provide the best possible treatment. If a patient believes that the information will be kept confidential, the patient is likely to be more forthcoming in his or her discussions with the physician. Thus, in the United States, a physician is not permitted to reveal the medical secrets of his or her patient except in criminal proceedings or where the patient puts his or her condition in issue.


Anglim, Christopher T. "Medical Confidentiality, Privacy Right To." Privacy Rights in the Digital Age, edited by Christopher T. Anglim & JD, Salem Press, 2016. Salem Online, online.salempress.com/articleDetails.do?articleName=PRDA_0140.